15.4 Managing Identity and Application Sources

Identity Governance offers several ways to help you manage your data sources.

IMPORTANT: If your Identity Governance database environment runs Oracle, you must turn on the SQL Tuning Advisor to optimize queries in the Oracle database.

15.4.1 Exporting and Importing Collectors

The ability to export and import collectors helps you manage your environment in several ways.

  • Back up a working collector

  • Replicate an environment

  • Update collector details in a text editor

  • Troubleshoot collections

Configuring collectors can take time and go through several iterations of trial and error. When you have configured a collector that achieves the results you want, you should export it and save it with your other backup files. You can also use exported collectors to replicate an environment, either in a test environment or to use in another office location.

You might need to change the predefined attribute mappings and value transformation policies of a template to suit your environment. If you need to customize a collector template, rather than only editing the values in a collector, you can export and import collector templates under Administration in Identity Governance. For more information, see Customizing the Collector Templates for Data Sources.

To export and import collectors:

  1. Select a data source, and then select Test Collection and Troubleshooting.

  2. Select Download and Emulation, and then select Download Data Source Configuration.

  3. Select a location for the file, and then select OK.

  4. If you make changes and want to import a collector, under Data Sources, select Identities or Applications, and then select Import an identity source or Import an application source.

  5. Select the file to import.

15.4.2 Comparing Collections and Publications

When you need to show that you have complete and accurate data, you can compare collection and publication details from the same data source at two different collection or publication times. Identity Governance uses the defined data policies to produce the comparison details. For more information, see Section 30.0, Creating and Managing Data Policies.

To compare collections and publications from the same source:

  1. Under Data Sources, select Activity.

  2. (Optional) Select the calendar icon to focus the list on a specific time period.

  3. (Optional) Enter a data source name in the search to focus the list on specific data sources.

  4. (Optional) Change the number of rows per page to show a longer list.

  5. (Optional) To quickly compare a collection or publication with the previous collection or publication, select the item from the Date and status column.

  6. Select a listed collection or publication using the checkbox.

  7. Select a collection or publication from the same source to compare to the first selection.

    NOTE: You are able to select only one additional item from the same source and type.

  8. Under Action, select Compare.

  9. View changes and select links to view additional information about the changes. For example, if the number of changes is not zero, that number is a link. Selecting that link opens a quick view of the items that changed.

  10. (Optional) To quickly view or open the applicable data policies, complete the following:

    1. Select Refine comparison options.

    2. Select or clear listed policies to change your comparison results.

    3. Select Edit Policies to open the Data Administration > Data Policy page. For more information, see Creating and Editing Data Policies.

15.4.3 Testing Collections

When creating, updating, or troubleshooting data collectors, you can test all or part of the collections without publishing the results to the catalog. When you test a collection, you either ensure that the collector is correctly configured, or you have the ability to change the collector configuration and quickly test again to check the results.

You can view the collected data as soon as the test collection completes, or you can download the results to view later. Results of test collections remain available in Identity Governance until you delete them.

When you run a test collection, you have some options for the test data:

  • All records

  • Some records

  • Raw data

  • Transformed data

When you select a subset of records to collect, you cannot control which records to collect. You could use this option if you want to quickly spot check a collector configuration rather than waiting for all the data to be collected.

Raw data contains attribute names from the native application. These attributes have not yet been transformed based on the mappings in the collector. Testing the raw data collection lets you verify that you are collecting the data you intend to collect before Identity Governance transforms it.

Transformed data contains attribute names that you have mapped from the native application to the attribute names you are using within Identity Governance. Testing the transformed data collection lets you verify that your mappings within the data collector meet your expectations.

To test a sample collection from a data source:

  1. Select a configured data source.

  2. Select Test Collection and Troubleshooting.

  3. Under Test Collection, select the collectors, and then select Run Test Collection.

  4. Select the specific entities to collect and type the number of records to collect or leave All to collect all records.

  5. Select the option for the type of collection to run.

  6. After the test collection shows Complete, select Action to view, download, or delete test collection results.

15.4.4 Creating Emulation Packages

You can more easily troubleshoot collection configuration outside your production environment by creating emulation packages for data collectors. An emulation package contains CSV files with the raw collected data from the data source and a CSV file containing data source configuration details. Emulation packages remain available in Identity Governance until you delete them.

To create an emulation package:

  1. Select a configured data source.

  2. Select Test Collection and Troubleshooting.

  3. Under Download and Emulation, select Create emulation package.

  4. When the emulation status shows Complete, select Action to view, download, or delete the emulation package.

15.4.5 Migrating an Identity Collector to a Change Event Identity Collector

If you have upgraded from Identity Governance 2.5, use the Identity Source Migration utility to update your Active Directory, eDirectory, or Identity Manager data collector to accept change events. The identity collector you are migrating must publish using the Publish without merging or the Do not publish setting.

NOTE: eDirectory and IDM change event identity collectors are supported only in Identity Governance 3.0.1.

  1. Upgrade to Identity Governance 3.0 and make sure Identity Governance is up and running.

  2. Verify that the idgov/bin/rtc-migration.sh (Linux) or c:\netiq\idm\apps\idgov\bin\rtc-migration.bat (Windows) file references the jar file idgov/lib/ig-migration.jar (Linux) or c:\netiq\idm\apps\idgov\lib\ig-migration.jar (Windows).

  3. Run the command-line utility from the server where Identity Governance is installed.

    • Linux: The default location is /opt/netiq/idm/apps/idgov/bin/rtc-migration.sh. From that directory, enter ./rtc-migration.sh

    • Windows: The default location is c:\netiq\idm\apps\idgov\bin\rtc-migration.bat. From that directory, enter rtc-migration.bat at a command line.

  4. Provide the information needed to connect and authenticate to Identity Governance and the authentication server. When the utility successfully connects, it displays a numbered list of discovered identity sources.

  5. Enter the number displayed next to the identity source to migrate.

  6. After the utility runs checks to determine migration suitability, confirm to proceed with the migration if the checks succeeded. If any checks failed, review the messages, and then address the problem areas, select a different source, or quit the utility.

  7. (Conditional) If you confirm to proceed with migration, enter a local file name for the utility to back up the current collector configuration.

  8. After the utility applies updates and exits with a success message, you can view the following updates to the collector configuration in Identity Governance:

    • The template (just under the name of the collector) has been changed to the "with changes" template that corresponds to the template used before the update.

    • A new Enable Change Event Collection option, which is unchecked, appears after the collector name. To enable event processing, select this option, and then collect and publish the identity source.

    • No changes are made to the Service Parameters.

    • Under Collect Identity (the user view):

      • The Base Dn parameter is no longer required, but the value has not been changed. Omitting a value here will cause the entire LDAP tree to be collected.

      • (Conditional) For Active Directory identity event source, a new parameter, LDAP Search Filter for Identity Object Changes, has been added, with the value (objectClass=user). This parameter identifies events in Active Directory's DirSync or AD Connect that should be delivered in this view to Identity Governance. Only modify this parameter if there are other object classes in the local AD that correspond to users and only by adding other objectClass terms to an LDAP expression.

      • (Conditional) For Active Directory identity event source, a new parameter, AD Object Categories for Changes, has been added with the value user. You can modify this value if needed by adding other object category names in a comma-separated list.

      • User ID from Source has been set to OBJ_ID. Do not change.

      • The Object GUID parameter is now required. Its value is set to objectGUID. Do not change.

      • LDAP Distinguished Name has been set to OBJ_ID. You can remove this value if there's no need to collect dn separately from the userId, but you should not assign any other value.

    • Under Collect Group (the group view):

      • The Base Dn parameter is no longer required, but the value has not been changed. Omitting a value here will cause the entire LDAP tree to be collected.

      • A new parameter LDAP Search Filter for Identity Object Changes has been added, with the value (objectClass=group). This parameter identifies events in Active Directory DirSync or AD Connect that should be delivered in this view to Identity Governance. Only modify this value if there are other object classes in the local AD that correspond to groups and only by adding other objectClass terms to an LDAP expression.

      • A new parameter AD Object Categories for Changes has been added with the value group. You can modify this value if needed by adding other object category names in a comma-separated list.

      • Group ID from Source has been set to OBJ_ID. Do not change.

      • A new parameter Object GUID has been added with value objectGUID. Do not change.
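The LDAP Search Filter for Identity Object Changes parameters above should be changed only by adding objectClass terms to the migrated value. The following added example, which is not part of the product or its documentation, builds such a filter and checks an edited one before you paste it into the collector. It assumes that extra terms are combined with the migrated term in a single LDAP OR expression; the function names and the inetOrgPerson sample class are illustrative.

```python
import re

# An objectClass name: a letter followed by letters, digits, or hyphens.
_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
_TERM = re.compile(r"\(objectClass=([A-Za-z][A-Za-z0-9-]*)\)", re.IGNORECASE)


def build_change_filter(default_class, extra_classes=()):
    """Keep the migrated default term and OR in any extra objectClass terms."""
    classes = [default_class]
    for name in extra_classes:
        if not _NAME.match(name):
            raise ValueError(f"not a valid objectClass name: {name!r}")
        if name.lower() not in (c.lower() for c in classes):
            classes.append(name)
    terms = "".join(f"(objectClass={c})" for c in classes)
    # Assumption: several terms are wrapped in one OR expression.
    return terms if len(classes) == 1 else f"(|{terms})"


def check_change_filter(filter_text, default_class):
    """Return a list of problems; an empty list means only objectClass terms were added."""
    text = filter_text.strip()
    is_or = text.startswith("(|") and text.endswith(")")
    body = text[2:-1] if is_or else text
    terms = _TERM.findall(body)
    problems = []
    # Anything left after removing objectClass terms is another attribute,
    # a wildcard, or an AND/NOT operator, none of which the guidance allows.
    leftover = _TERM.sub("", body)
    if leftover:
        problems.append(f"content other than objectClass terms: {leftover!r}")
    if default_class.lower() not in (t.lower() for t in terms):
        problems.append(f"migrated term (objectClass={default_class}) is missing")
    if len(terms) > 1 and not is_or:
        problems.append("several terms must be combined in one (|...) expression")
    return problems


if __name__ == "__main__":
    # Constructed sample values for the user view.
    candidate = build_change_filter("user", ["inetOrgPerson"])
    print(candidate, check_change_filter(candidate, "user"))
    print(check_change_filter("(&(objectClass=user)(cn=a*))", "user"))
```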